basic auth: fix timing oracle

2025-10-17 22:32:26 +08:00 · 2021-01-12 16:07:24 +02:00 · 2021-01-12 16:07:24 +02:00 · 883f03262f
commit 883f03262f
parent f4bc259de3
1 changed files with 2 additions and 1 deletions
--- a/auth.go
+++ b/auth.go
@ -5,6 +5,7 @@
 package gin

 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"net/http"
 	"strconv"
@ -30,7 +31,7 @@ func (a authPairs) searchCredential(authValue string) (string, bool) {
 		return "", false
 	}
 	for _, pair := range a {
-		if pair.value == authValue {
+		if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {
 			return pair.user, true
 		}
 	}